Mozilla blocks vulnerable MS plugin

The Mozilla Foundation took the controversial step this weekend of blocking certain Microsoft plugins - at least one of which contains an exploitable vulnerability - from installing and executing in its Firefox web browser.

As reported over on PC Magazine, the Foundation has chosen to prevent Microsoft's Windows Presentation Foundation plugin from operating within the Firefox browser after Microsoft announced vulnerability MS09-054 in the plugin - a vulnerability which opens up an exploitable hole in the browser.

Perhaps the biggest issue - and the reason why the Foundation has chosen to block the plugin outright - is that, in common with the .Net Framework Assistant add-on - it installs in Firefox automatically as part of the .Net Framework 3.5 Service Pack 1 update, with no user interaction or warning. Uninstalling the plugin or add-on is also somewhat difficult.

This sneaky behaviour may have contributed to the choice to block not only the vulnerable Windows Presentation Foundation plugin, but also the .Net Framework Assistant add-on - a move which has now been reversed with confirmation that the Framework Assistant add-on is not vulnerable.

However, the blocking of the Windows Presentation Foundation plugin remains in effect - causing at least one Microsoft employee to post the warning that "when business users can't use their core business functionality - they uninstall stuff [like Firefox]" to Twitter.

Perhaps the biggest issue with Firefox using its central blacklisting feature against such a large company's software is that, according to vice president of engineering Mike Shaver, the Foundation is unable to distinguish "patched from unpatched, so we're blocking it [the plugin] while we sort that out."

Since then Shaver has posted that work continues on allowing corporate users - or those on Firefox 3.5, at least - the option of overriding the block as the Foundation "[works] to keep our users safe and comfortable with all the tools at our disposal."

Are you pleased to see that the Foundation takes the safety of its users seriously enough to risk the ire of Microsoft, or was it a bad call to block such a major plugin - despite the risk? Should Microsoft get its sweaty mitts off your Firefox browser and stop installing plugins and add-ons without your permission? Share your thoughts over in the forums.